---
id: oauth2-token-introspection
title: OAuth 2.0 Token Introspection
---

import useBaseUrl from '@docusaurus/useBaseUrl'

The Token Introspection extension defines a mechanism for resource servers to
obtain information about access tokens. With this spec, resource servers can
check the validity of access tokens, and find out other information such as
which user and which scopes are associated with the token.

:::warning

Token Introspection is meant for first-party / internal use only. The endpoint
should not be exposed publicly.

:::

You can find more details on this endpoint in the
[ORY Hydra API Docs](https://www.ory.sh/docs/). You can also use the CLI command
`hydra token introspect <token>`.

Another helpful resource is
[Token Introspection Endpoint](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/).

## Examples

### NodeJS

```
const token = 'the access token'
const body = qs.stringify({ token })

fetch('http://ory-hydra/oauth2/introspect', {
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Content-Length': body.length
    },
    method: 'POST', body
}).then(body => {
    if (!body.active) {
        // Token is not active/valid
    }

    // token is active
})
```

#### CURL

```bash
$ curl -X POST \
    -d 'token=<the-token>' \
    http://localhost:4445/oauth2/introspect
```
